Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 19:56

General

  • Target

    13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe

  • Size

    1.1MB

  • MD5

    1ec3aacd70ffb14f3431a57abacb988b

  • SHA1

    63df42986534930ba0c24c539caa0c5be4d39f4a

  • SHA256

    13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d

  • SHA512

    633c9ecc1d5213b1e01249a67cca3e530db44b21147a47ba87d8bc7985265b28778f5426d11e105fb0a1dbef94bd386fa2f71a6f669ae51cf92d979d08ddc7ce

  • SSDEEP

    24576:Wf9AiKGpEoQpkN2C4McuKo0GTNJpyT5RGeQa0s:W+GtCi27mVHyT+a0s

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
        "C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A6D.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3492
          • C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
            "C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe"
            4⤵
            • Executes dropped EXE
            PID:3080
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1068

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      247KB

      MD5

      c956a319f9e83c47efe8f30acbcab757

      SHA1

      f964d8f25a289f378a4024c3fa1f5e5c434547e8

      SHA256

      fc6f3029b993595c3371740bbc1f7efa4b17d5aca1daea44987e39f38a3025f9

      SHA512

      f66f2b06c720f27da9f6348d25cf1dd7035d87968293e72191eb005f74cf953546f7e3533f7d269dfa291c827b2efa072f5ae3134f86e4afaba6352cdc92282d

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      573KB

      MD5

      39a67a77ab1a78736038d9ae9dacd472

      SHA1

      26a271cd615916609a10d6faff8b0c50933625b3

      SHA256

      d5368cca1488205a338f6c4164ad686df03b43f22f303489eb8f079880295be4

      SHA512

      8c0da41980ae18d3bfea44dc6f2b8db6dae72356230c4496433f875e83fe84dc63dc4ee1a6f161ad7a69a53627d6d5f0e3ac7060f00adc2b3c5b5f623f9568e9

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      639KB

      MD5

      fd93240910d7b1f0744b83d0f7bc706a

      SHA1

      508d162f4e5c8541f6cc1389a9f83c049bf848c0

      SHA256

      3803edada5f998dc92eb477e572fb4785eb4003285dab3ad2e0bc269e7ff2152

      SHA512

      d6f65e92a7afddd3e1879449a64943daeaa435fa217f386f7bee28a602a091998bf31bc29c01879228e705dcef59794c3361aa4b3417a2b653d9d40aaf764500

    • C:\Users\Admin\AppData\Local\Temp\$$a8A6D.bat

      Filesize

      722B

      MD5

      89fc7da3ee1b40b17aea4779a4ef46ab

      SHA1

      dd83c1d46f6e66e97ed2e89cd7282aa581b33f63

      SHA256

      a7190ccc33553bf70f460f242d05016ad9024b1c415fd82cbdffcd649d342cec

      SHA512

      65f1dbb32a474297f10ab33a3226aa9de5e3a1c398fc7bf3b5e758705571eecad3756e356011ce675ceb5b98508a4797c623511622ff47ea2d69541b063500fe

    • C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe.exe

      Filesize

      1.1MB

      MD5

      09239e688ff75cd636ac932100b243f9

      SHA1

      2a7964c81b9a34bb77c4e3676e7d31b7d2668297

      SHA256

      a36ef4c18a08ee8d8c0d10d96ab37a0c3ce22a8f328733af8c0451579e4edcb1

      SHA512

      686708321d8756ddcfa2d1585ca7261be0ece33bd9d134888cdb4655b8484c727b34b4ac7f12d919184e85ab65088bc565549c262289cb64f9aeca0508290825

    • C:\Windows\Logo1_.exe

      Filesize

      29KB

      MD5

      44e459665555aa71b27739a4c8e0ce2e

      SHA1

      a356a45529a77684280cab95f9658263facadedc

      SHA256

      791918b0fdd6d93878a051a648a2d60d04f2e12fb5428d138dcc2b63fbf94c13

      SHA512

      ede586c602defafd40a4507989f664d3345a5b0b2172251e10f84d87e44ee56b9546e04c7f7aeb621d72be7714de56f01ca06c0cf266938165d3408cc92969b7

    • F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini

      Filesize

      9B

      MD5

      79a2fb76ad00a8ac07f11b6a179f5297

      SHA1

      72b4f589fd7945d8c80b370d1d3a1f2467f3eb81

      SHA256

      2f723e98c3a3556269a4d81d4a27d6a0ab13a84c5ba737493c07354a2608684f

      SHA512

      3a21c2e60e8e035fb90d428e86bb927077d8354a16f1abc291ccba4a4d7fee4f51cf781fa9202e5602a88ca70a6ba264ac49762100be5f6e09a2ec930e098168

    • memory/3636-27-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-34-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-37-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-20-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-1233-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-4792-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-13-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/3636-5237-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/4956-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/4956-10-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB